home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The PC-SIG Library 13
/
PC-Sig Library (13th Edition) (PC-SIG) (1994).ISO
/
virus
/
clean104.doc
< prev
next >
Wrap
Text File
|
1993-12-13
|
22KB
|
532 lines
CLEAN-UP Version 9.15V104
Copyright (C) 1990 - 1993 by McAfee Associates
All rights reserved.
Documentation by Aryeh Goretsky.
McAfee Associates, Inc. (408) 988-3832 office
3350 Scott Blvd., Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (25 lines)
U.S.A USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
InterNet support@mcafee.COM
TABLE OF CONTENTS:
SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . .2
- What is CLEAN-UP?
- System Requirements
AUTHENTICITY . . . . . . . . . . . . . . . . . . . . . . . . .2
- Verifying the integrity of CLEAN-UP
WHAT'S NEW . . . . . . . . . . . . . . . . . . . . . . . . . .3
- New features and viruses added in this release
OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . .3
- General description of CLEAN-UP
OPERATION and OPTIONS . . . . . . . . . . . . . . . . . . . . .5
- How to use CLEAN-UP, detailed explanation of switches
EXAMPLES . . . . . . . . . . . . . . . . . . . . . . . . . . .7
- Samples of frequently-used options
REGISTRATION . . . . . . . . . . . . . . . . . . . . . . . . .8
- How to register CLEAN-UP
TECH SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . .8
- Information to have ready when calling for tech support
APPENDIX A . . . . . . . . . . . . . . . . . . . . . . . . . .9
- Foreign language support for CLEAN-UP
Page 1
CLEAN-UP Version 9.15V104 Page 2
SYNOPSIS
CLEAN-UP (CLEAN) is a virus disinfection program for IBM PC
and compatible computers. CLEAN searches through the partition
table, boot sector, or files of a PC to remove viruses specified
by the user. In most instances, CLEAN repairs infected areas
of the system, restoring them to their pre-infected state.
CLEAN removes all viruses identified by the current version of
VIRUSCAN. CLEAN can also remove new or unknown viruses using
recovery information stored by SCAN [See VIRUSCAN's
documentation for details].
CLEAN runs on any PC with 400Kb and DOS 2.00 or above.
AUTHENTICITY
CLEAN performs a self-test when run. If CLEAN has been
modified in any way, a warning will be displayed. However,
CLEAN is still able to remove viruses. If CLEAN reports it
has been damaged, a new, undamaged copy should be obtained.
CLEAN is packaged with VALIDATE, a program to check
the integrity of CLEAN.EXE. The VALIDATE.DOC file explains
its usage. The VALIDATE program distributed with CLEAN may
be used to check new versions for tampering or damage.
The validation results for Version 104 should be:
FILE NAME: CLEAN.EXE
SIZE: 144,637
DATE: 05-03-1993
FILE AUTHENTICATION
Check Method 1: 6848
Check Method 2: 0EEE
If your copy of CLEAN.EXE differs, it may have been modified.
Always obtain CLEAN from a known source. The latest version of
CLEAN and validation data can be obtained from McAfee
Associates' bulletin board system at (408) 988-4004, from the
McAfee Virus Help Forum on CompuServe (GO MCAFEE), and by
anonymous ftp from the mcafee.COM site on the Internet.
All of McAfee Associates' programs are archived with
Version 1.10 of PKWare's PKZIP Authentic File Verification.
When unzipped with Version 1.10 of PKWare's PKUNZIP program,
an "-AV" will be displayed after each file is unzipped and an
"Authentic Files Verified! # NWN405 Zip Source: McAFEE
ASSOCIATES" will appear once all files are unzipped.
NOTE: If you do not receive the Authentic File Verification
messages, you may be using a different version of
PKUNZIP, such as V1.93α or V2.04. Use PKUNZIP Version
1.10 to unzip files if you wish to have Authenticity
Verification displayed as files are unzipped.
CLEAN-UP Version 9.15V104 Page 3
WHAT'S NEW
Version 104 includes new removers for the 1757, Barrotes
Coahuila, Math Test, Monkey, and XTAC viruses, as well as a
re-write of the boot sector virus removal code. CLEAN has been
updated to recognize all the new viruses added in the current
release of VIRUSCAN.
New features added in this release include:
· The /AD switch has been enhanced to allow all local
drives, all networked drives, or both to be scanned.
· The /BMP switch has been added to clean viruses from OS/2
Boot Manager partitions.
· The /UNATTEND switch has been made a default setting (it
was required for networked and multitasking computers).
CLEAN displays messages in English (default); foreign
language support is available for many other languages. Please
refer to APPENDIX C for information on foreign language support.
Please refer to the enclosed VIRLIST.TXT file for a short
description of the new viruses. For more detailed descriptions,
please refer to Patricia Hoffman's virus summary listing (VSUM).
OVERVIEW
CLEAN searches the system for viruses to remove. When an
infected file is found, CLEAN isolates and removes the virus and
in most cases repairs the infected file and restores it to
normal operation. If the file is infected with an uncommon
virus, CLEAN displays a warning message asking whether to
overwrite and delete the infected file. Erased files are non-
recoverable.
Before running CLEAN, verify the infection with VIRUSCAN.
SCAN will locate and identify the virus and provide the I.D.
code used by CLEAN. The I.D. is displayed inside the square
brackets, "[" and "]." For example, the I.D. code for the
Jerusalem virus is displayed as "[Jeru]". This I.D. must
be used with CLEAN to remove the virus. The square brackets
"[" and "]" MUST be included.
If SCAN finds an unknown virus in a file that has had
validation or recovery data stored for it, it will warn that an
infection has occurred. It will not, display an I.D. code.
NOTE: When CLEAN is run with the /GENERIC or /GRF options
to disinfect files or system areas based on recovery
information stored by SCAN, no I.D. code should be
used.
Please refer to the VIRUSCAN documentation for instructions
in adding recovery information to your system.
CLEAN-UP Version 9.15V104 Page 4
The common viruses that CLEAN-UP is able to remove while
repairing and restoring the infected programs or system areas
are:
555 644 696 730
748 855 1008 1024
1139 1241 1253 1339
1554 1575*+ 1757 1992
2560 4096*+ Air Cop* Alabama+
Alameda Antitelefonica Azusa Barrotes
Beeper Black Monday+ Bloody! Boys
Cansu Cascade*+ Coahuila Creeper
Curse Dark Avenger*+ DataLock+ December 28+
Devil's Dance Dir-2 Disk Killer* EDV*
Empire* Enigma Fellowship+ Filler
Fish+ Flash Flip*+ Form
Generic Boot Generic MBR Ghost Haifa
Holocausto Invader*+ Irish_3 Jerusalem*+
Joshi KeyPress*+ Korea* Lazy
Lehigh Liberty+ Lisbon* Little Girl2
Little Girl3 Loa Duong M128 Maltese Amoeba
Mardi Bro.'s Math Test Michelangelo Monkey
Mosquito Multi-2 Murphy*+ Music Bug
Nomenclature Pakistani Brain*Perfume Ping Pong*
Plastique*+ Possessed Print Screen-2* R-11+
SBC Slayer Slow+ Stoned*
Striker+ Sunday+ Sunday2+ SVC+
Taiwan 3+ Taiwan 4+ Tequila Tokyo
Topo Traceback/3066 Troi Typo Boot
V800 V-801 VACSINA*+ Vienna*
Violator*+ VirDem XTAC
Whale*+ Yankee Doodle*+ ZeroBug
*Denotes virus with more than one strain
+Denotes virus which attaches to overlays
AN IMPORTANT NOTE ABOUT .EXE FILES: Some viruses infecting .EXE
files may not be removed successfully if the .EXE loads itself
as an internal overlay. Instead of attaching to the end of the
.EXE file, the virus may attach to the beginning of the overlay
area, and corrupt the program. CLEAN will truncate files
infected in this manner. If a file no longer runs after being
cleaned, replace it from the manufacturer's original disk or
virus-free backups.
AN IMPORTANT NOTE ABOUT PARTITION TABLE VIRUSES (e.g., Stoned):
Removing a partition table-infecting virus like the Stoned
can cause loss of the partition table on systems partitioned
with programs other than DOS, e.g., Disk Manager or SpeedStor.
As a precaution, back up all critical data before running CLEAN.
Loss of the partition table can result in the LOSS OF ALL DATA
ON THE DISK.
CLEAN-UP Version 9.15V104 Page 5
OPERATION and OPTIONS
IMPORTANT NOTE: TURN OFF YOUR PC AND BOOT FROM A CLEAN DOS
SYSTEM-BOOTABLE DISK BEFORE BEGINNING. RUN
CLEAN FROM A WRITE-PROTECTED DISK TO PREVENT
INFECTION OF THE CLEAN.EXE PROGRAM FILE.
Power down the infected system and boot from a clean,
write-protected system-bootable diskette. This insures that the
virus is not in system memory and prevents reinfection. After
cleaning, power down the PC, boot from the system disk, and run
VIRUSCAN to ensure the system has been successfully disinfected.
After cleaning the hard disk, copy the SCAN and CLEAN programs
on to it and check all floppy disks that have been in
contact with the system.
CLEAN displays the name of infected files or system areas,
the virus found, and reports a "successful" disinfection for
each virus removed. If a file has multiple infections, CLEAN
will report the virus has been removed successfully for each
infection.
Select valid options for CLEAN-UP from the list below:
CLEAN {drive(s)} [virus I.D.] {options}
^
|
`---- NOTE: The square brackets "[" and "]"
are required around the I.D. code.
Options are:
{drives} - indicate drive(s) to be cleaned
[virus I.D.] - Virus identification code provided by
SCAN when a virus is detected (See the
VIRLIST.TXT file for a complete list.)
/A - Check all files for viruses
/AD{x} - Clean all drives {L = Local, N = Network}
/E .xxx .yyy .zzz - Clean overlay extensions .xxx .yyy .zzz
/GENERIC - Clean unknown viruses
(see below for specifics)
/GRF {filename} - Clean unknown viruses using recovery
data file {filename}
/MAINT - Clean "invalid media" error (damaged)
disk
/MANY - Check multiple disks for viruses
/NOEXPIRE - Do not display expiration notice
/NOPAUSE - Disable screen prompting
/REPORT {fname} - Create report file {fname}
CLEAN-UP Version 9.15V104 Page 6
/A - This option checks all files on the drive(s) scanned and
also examines a greater portion of files. This substantially
increases the amount of time required to check disks and also
increases CLEAN's ability to detect viruses infecting overlay
files. It is recommended this switch only be used when an
overlay-infecting virus is found. This option takes priority
over the /E option.
/AD{x} - This option cleans all drives of viruses. If /ADL
is used, all local drives are checked, including compressed
drives and CD-ROM's. If /ADN is used, all networked drives
are checked. To clean local and network drives, use /AD by
itself.
/E .xxx .yyy .zzz - This option allows additional extension(s)
to be cleaned. Extensions should include a period "." and each
extension must be separated by a space after the /E. Up to
three extensions may be added with the /E. For more extensions,
use the /A option instead.
/GENERIC - This option is used to clean files or system areas
that have been infected with a new (unknown) virus. For
/GENERIC to work, recovery information must have been stored
prior to infection by VIRUSCAN's /AG option. No virus I.D. code
is required when using the /GENERIC switch.
/GRF {filename} - This option is used to clean files or system
areas that have been infected by a new (unknown) virus. For
/GRF to work, recovery data and validation codes must have been
saved by VIRUSCAN's /AF option to {filename}. No virus I.D.
code is required when using the /GRF switch.
/MAINT - This option is used to clean hard disks partitioned
with DOS 4.0 or above that have been damaged by a boot sector
or partition table virus, or partitioned with non-DOS
partitions, such as Novell NetWare/386 or IBM OS/2 386HPFS.
Attempts to access damaged or non-DOS disks result in an
"Invalid media" message being displayed.
/MANY - This option is used to clean multiple disks placed in
the same drive. If you have more than one floppy disk to check
for viruses, the /MANY option allows you to check them without
running CLEAN multiple times.
/NOEXPIRE - This option disables a warning message that CLEAN
displays after seven months warning that it may no longer be
current with respect to known viruses.
CLEAN-UP Version 9.15V104 Page 7
/NOPAUSE - This option disables the "More? (H = Help)" prompt
displayed when CLEAN fills up a screen with 24 lines of text.
This allows CLEAN to be run on PC's with severe infections
without user assistance.
/REPORT {filename} - This option saves the output of CLEAN to
{filename} in ASCII text format. If {filename} exists, CLEAN
will erase it and create a new report
EXAMPLES
The following examples show different option settings:
CLEAN C: D: E: [JERU] /A
To remove the Jerusalem virus from drives C:, D:, and
E:, searching all files for the virus
CLEAN A: [STONED]
To remove the Stoned virus from the disk in drive A:
CLEAN C:\MORGAN [DAV] /A
To remove the Dark Avenger virus from subdirectory
MORGAN on drive C:, searching all files for the virus
CLEAN B: [DOODLE] /REPORT C:YNKINFCT.TXT
To remove the Yankee Doodle virus from drive B: and
create a report named YNKINFCT.TXT on drive C:
CLEAN C: /GENERIC
To remove an unknown virus from drive C: using
recovery data stored by SCAN's /AG option.
CLEAN C: D: /GRF A:\SCANCRC.CRC
To remove an unknown virus from drives C: and D: using
recovery data stored by SCAN's /AF option.
CLEAN-UP Version 9.15V104 Page 8
REGISTRATION
A registration fee of US$35.00 is required for the use of
CLEAN-UP by individual home users. Registration entitles the
holder to unlimited free upgrades from McAfee Associates' BBS
or the Computer Virus Help Forum on CompuServe and technical
support for one year. When registering, a diskette containing
the latest version may be requested for an additional US$9.00.
Only one diskette mailing will be made.
Registration is for home users only and does not apply to
businesses, corporations, organizations, government agencies, or
schools, which must obtain a license for use. Contact McAfee
Associates directly or an Authorized Agent for more information.
TECH SUPPORT
For fast and accurate help, please have the following
information ready when you contact McAfee Associates:
· Program name and version number.
· Type and brand of computer, hard disk, plus any
peripherals.
· Version of DOS plus any TSRs or device drivers in use.
· Printouts of your AUTOEXEC.BAT and CONFIG.SYS files.
· A printout of what is in memory from the MEM command
(DOS 4 and above users only) or a similar utility.
· The exact problem you are having. Please be as
specific as possible. Having a printout of the
screen and/or being at your computer be will helpful.
McAfee Associates can be contacted by BBS, CompuServe, FAX, or
InterNet 24 hours a day, or by telephone at (408) 988-3832,
Monday through Friday, 7:00AM to 5:30PM Pacific Time.
McAfee Associates, Inc. (408) 988-3832 office
3350 Scott Blvd. Bldg. 14 (408) 970-9727 fax
Santa Clara, CA 95054-3107 (408) 988-4004 BBS (25 lines)
U.S.A USR HST/v.32/v.42bis/MNP1-5
CompuServe GO MCAFEE
Internet support@mcafee.com
If you are overseas, there may be an Authorized McAfee Associates
Agent in your area. Please refer to the AGENTS.TXT file for a
listing of McAfee Associates Agents for support or sales.
CLEAN-UP Version 9.15V104 Page 9
APPENDIX A: CLEAN-UP'S FOREIGN LANGUAGE SUPPORT
CLEAN-UP can display messages in a foreign language by
reading in a replacement set of messages from an external
file named MCAFEE.MSG. When the MCAFEE.MSG file is placed in
the same directory as the SCAN.EXE file, SCAN will display
messages from the foreign language module instead of displaying
messages in English (American). Currently, SCAN is bundled with
two .MSG files, FRENCH.MSG and SPANISH.MSG, which contain
messages in French (European) and Spanish (Latin America),
respectively.
To use a foreign language module, rename it to MCAFEE.MSG
and place it in the same directory as the CLEAN.EXE file. When
CLEAN-UP is run, it will check for the MCAFEE.MSG file and use it,
if found.
Support for other languages such as Chinese, Dutch, Finnish,
French (Canadian), German, Hungarian, Norwegian, Portuguese,
Russian, Spanish (European), Swahili, Swedish and Bulgarian is
planned for future releases. Contact your local McAfee Associates
Authorized Agent or McAfee Associates directly for availability.